In January 2018, the Office of the Privacy Commissioner of Canada (the "Commissioner") and the United States Federal Trade Commission (the "FTC") provided important and practical guidance regarding cybersecurity in response to the VTech data breach. As discussed below, the VTech case contains a number of key takeaways for organizations and is part of a growing body of regulatory guidance regarding cybersecurity.
VTech is a global supplier of electronic learning products for children and the world's largest manufacturer of cordless phones. In November 2015, an unauthorized user gained access to several different VTech cyber environments, via "SQL injection" and other methods.
Since VTech was not able to determine the exact scope of the compromised data on the relevant systems in the course of its investigation, it assumed that all data could have been accessed or copied. VTech released a public statement announcing the breach in late November 2015 and formally notified the Commissioner in December 2015.
The compromised data included information on parents' accounts (name, email address, secret question, answer for password retrieval, etc.), information about children (child's name, gender, birthdate, photos, etc.) as well as chat messages between parents and their children. The breach affected over 500,000 Canadians (including over 300,000 children) and over 5 million Americans.
The attacker in the breach was ultimately arrested and the accessed information was recovered from his devices. There was no indication that the attacker provided copies of, or access to, the compromised information to anyone else, or that further disclosures of the information occurred.
Guidance from the Office of the Privacy Commissioner of Canada
In Canada, the Commissioner received a complaint from an affected VTech customer and commenced an investigation to assess the company's compliance with the Personal Information Protection and Electronic Documents Act ("PIPEDA").
On January 8, 2018, the Commissioner announced the completion of the investigation and issued a related Report of Findings in which it concluded that VTech had failed to adopt adequate security measures to protect personal information, but that the company had since taken satisfactory corrective action to remedy the situation.
PIPEDA requires organizations to protect personal information using security safeguards (i.e. physical, organizational and technological) appropriate to the sensitivity of the information (i.e. amount, distribution, format and method of storage). In the view of the Commissioner, VTech did not implement adequate organizational and technological safeguards to protect customers' personal information, particularly in light of the sensitivity of the information under VTech's control (which related to children, considered a vulnerable group) and the number of individuals affected (millions of customers). More specifically, the Commissioner identified the following technological and organizational deficiencies, which provide useful guidance for other organizations seeking to understand the Commissioner's expectations in relation to safeguarding personal information under PIPEDA:
- Testing and Maintenance: VTech did not have a program of regular testing in place to identify and mitigate security vulnerabilities;
- Access Controls: VTech did not take the appropriate measures to limit the number of individuals with administrative access and to limit the scope of access available via individual accounts;
- Cryptography: VTech did not use adequate cryptography to protect sensitive information (e.g. storage of certain information in plaintext or communication of certain customer communications in clear text);
- Logging and Monitoring: VTech lacked sufficient host and network security logging and monitoring to detect potential threats or unauthorized/unusual activity; and
- Security Management Framework: VTech did not have a comprehensive overarching data security policy, associated training or a program for regular risk assessments and policy reviews.
The above findings build on earlier guidance provided by the Commissioner, which is discussed below.
Federal Trade Commission Settlement
In the United States, the FTC launched a lawsuit against VTech for alleged noncompliance with the Children's Online Privacy Protection Act and the Federal Trade Commission Act.
On January 8, 2018, the FTC announced a settlement by way of a Stipulated Order (PDF) that requires, among other things, VTech to pay a $650,000 civil penalty and implement a comprehensive data security program. This mandated program must contain "administrative, technical, and physical safeguards appropriate to VTech's size and complexity, the nature and scope of VTech's activities, and the sensitivity of the personal information", including:
- The designation of an employee or employees to coordinate and be responsible for the information security program;
- The identification of internal and external risks to the security, confidentiality, or integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks;
- The design and implementation of reasonable safeguards to control these risks, and regular testing or monitoring of the effectiveness of the safeguards;
- The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from VTech, and requiring service providers, by contract, to implement and maintain appropriate safeguards; and
- The evaluation and adjustment of the information security program in light of the results of the testing and monitoring required, any changes to VTech's operations or business arrangements, or any other circumstances.
Growing Regulatory Guidance Regarding Cybersecurity
The findings in the VTech case are the latest in a growing body of guidance from Federal and Provincial Privacy Commissioners (and sector-specific regulators) in recent years in Canada in relation to cybersecurity and data breaches. Building on its research paper titled Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities, the Commissioner has issued a number of findings under PIPEDA which reflect the range of internal and external risks that organizations can face in respect of personal information, in addition to the findings in the Ashley Madison finding discussed below. These findings include:
- Incident Summary #11 (2016) Financial institution reacts quickly to mass-mailing error;
- Incident Summary #12 (2016) - Break with security procedures exposes financial planner's client to privacy breach;
- PIPEDA Report of Findings #2015-011 - Bank implements significant measures to address unauthorized access of client information for non-business purposes by bank employee;
- PIPEDA Report of Findings #2015-008 - Individual's personal information fraudulently used by sales representative to issue him a new credit card; and
- PIPEDA Report of Findings #2015-007 - Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach.
For example, in the final finding above, the Commissioner concluded that, as a result of the organization's breaches of PIPEDA, "compromised customer information was, unbeknownst to the organization, stored unnecessarily, in duplicate form and unencrypted, on a web server that had not been updated to address a well-known vulnerability, and was not monitored for potential security threats." Lessons learned from the above findings emphasize the need to mitigate against threats, including through proactive measures (e.g. auditing employee access to personal information) designed to detect and deter misconduct, as well as training about privacy and the consequences that can flow from snooping.
In addition, in the last major breach-related finding prior to the VTech case, in 2016 the Commissioner issued a landmark finding in PIPEDA Report of Findings #2016-005 - Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner, which provided significant guidance to organizations seeking to ensure compliance with PIPEDA and the safeguarding obligation in particular. In the wake of a high-profile hack of the adult dating website Ashley Madison, and publication of a significant amount of personal information stolen in the hack, the Commissioner conducted an investigation and determined that Ashley Madison had not complied with a number of obligations under PIPEDA.
The Commissioner conducted an in-depth investigation into Ashley Madison, which involved interviews with the Chief Operating Officer, General Counsel and Vice Presidents, as well as reviewing: written responses to information requests, website terms and conditions, PCI incident and compliance reports, information provided by a cybersecurity consultant, IT operational procedures, and information security and privacy training material. Initially in the findings, the Commissioner noted that Ashley Madison had taken a number of positive steps in its response to the incident, including:
- Suspending VPN remote access
- Engaging experts to assist in response
- Issuing press release and contact information regarding the breach
- Notifying many of the affected individuals in writing
- Cooperating with the regulators
- Engaging experts to improve security and training and hired an experienced CISO
- Issuing take-down notices to websites where the stolen personal information was published
However, the Commissioner was critical of: (a) a lack of multi-factor authentication for remote administrative access to Ashley Madison systems, (b) absence of commonly used preventive and detective measures, and (c) poor key and password management practices (e.g. plain text storage of passwords, including in emails, and encryption keys stored in plain text).
Ultimately, the Commissioner concluded that organizations, such as Ashley Madison, which hold sensitive or large amounts of personal information are required under PIPEDA to have a security governance framework, including: (a) documented information security policy; (b) an explicit risk management process — including periodic and pro-active assessments of privacy threats, and evaluations of security practices; and (c) privacy and security training for all staff.
The VTech case is the latest in an important and growing body of guidance from privacy regulators and others, including the courts, in relation to cybersecurity. While the general safeguarding obligation in PIPEDA continues to provide considerable flexibility to organizations seeking to comply with that law, the VTech decision highlights a number of concrete and specific steps that the Commissioner will expect to see considered or taken to address cybersecurity in relation to personal information. Organizations should consider how their information security program (including their service providers) would measure up against the elements described in the VTech case and other findings discussed above, particularly in businesses that hold large amounts of sensitive information or personal information about employees, customers or others.